Vulnerability Description
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Softwareag | Quartz | < 2.3.2 |
| Oracle | Apache Batik Mapviewer | 12.2.0.1 |
| Oracle | Banking Enterprise Originations | 2.7.0 |
| Oracle | Banking Enterprise Product Manufacturing | 2.7.0 |
| Oracle | Banking Payments | >= 14.1.0, <= 14.4.0 |
| Oracle | Communications Ip Service Activator | 7.3.0 |
| Oracle | Communications Session Route Manager | >= 8.2.0, <= 8.2.2 |
| Oracle | Customer Management And Segmentation Foundation | 18.0 |
| Oracle | Documaker | >= 12.6.0, <= 12.6.4 |
| Oracle | Enterprise Manager Base Platform | 13.2.1.0 |
| Oracle | Enterprise Manager Ops Center | 12.4.0.0 |
| Oracle | Flexcube Investor Servicing | 12.1.0 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Oracle | Fusion Middleware Mapviewer | 12.2.1.3.0 |
| Oracle | Google Guava Mapviewer | 12.2.0.1 |
| Oracle | Hyperion Infrastructure Technology | 11.1.2.4 |
| Oracle | Jd Edwards Enterpriseone Orchestrator | <= 9.2.5.3 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Retail Back Office | 14.1 |
| Oracle | Retail Central Office | 14.1 |
Related Weaknesses (CWE)
References
- https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-extern (Third Party Advisory)
- https://github.com/quartz-scheduler/quartz/issues/467 (Issue Tracking, Third Party Advisory)
- https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1 (Third Party Advisory)
- https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22 (Issue Tracking)
- https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019 (Issue Tracking)
- https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d2 (Issue Tracking)
- https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e (Patch)
- https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f787 (Patch)
- https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e8046785988 (Issue Tracking)
- https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15 (Issue Tracking)
- https://security.netapp.com/advisory/ntap-20221028-0002/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Third Party Advisory)
FAQ
What is CVE-2019-13990?
CVE-2019-13990 is a vulnerability with a CVSS score of 9.8 (CRITICAL). initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
How severe is CVE-2019-13990?
CVE-2019-13990 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-13990?
Check the References section above for vendor advisories and patch information. Affected products include: Softwareag Quartz, Oracle Apache Batik Mapviewer, Oracle Banking Enterprise Originations, Oracle Banking Enterprise Product Manufacturing, and Oracle Banking Payments.